Skip to content

🐸 Versioned release#855

Merged
theoephraim merged 1 commit into
mainfrom
bumpy/version-packages
Jul 6, 2026
Merged

🐸 Versioned release#855
theoephraim merged 1 commit into
mainfrom
bumpy/version-packages

Conversation

@bumpy-bot

@bumpy-bot bumpy-bot commented Jul 3, 2026

Copy link
Copy Markdown
Collaborator

bumpy-frog

This PR was created and will be kept in sync by bumpy based on your bump files (in .bumpy/). Merge it when you are ready to release the packages listed below:

minor Minor releases

varlock 1.9.0 → 1.10.0 CHANGELOG.md

  • Reject unknown or misspelled CLI flags with a did-you-mean suggestion instead of silently ignoring them (bump file)
  • Runtime leak detection now catches secrets in compressed responses: gzipped responses that fit in a single chunk (i.e. most pages) were never scanned, so browsers — which always send Accept-Encoding: gzip — could receive leaked sensitive values the scanner should have blocked. Brotli and zstd responses are now scanned too, and compressed chunks containing a leak fail closed (the response is killed) instead of passing through. (bump file)
    Note: since most browser traffic previously bypassed the scanner, an app with an existing undetected leak will start seeing those responses blocked after upgrading — look for DETECTED LEAKED SENSITIVE CONFIG in server logs, which names the offending config key.
  • Runtime fixes: env state is now shared across bundled copies of varlock/env (fixes stale values after env reloads when a bundler duplicates the module, including cleanup of process.env keys removed between reloads), and node:crypto is loaded lazily — with encrypted env blobs decrypting via WebCrypto on edge runtimes that lack it entirely (e.g. Vercel Edge). Minimum supported Node version is now 22.3. (bump file)
  • Windows local encryption now uses TPM-sealed keys via NCrypt when available; existing DPAPI keys auto-upgrade on the next decrypt. (bump file)
  • Generate code for Python, Rust, Go, and PHP with new per-language decorators (@generatePythonEnv, @generateRustEnv, @generateGoEnv, @generatePhpEnv). Each emits a self-contained, idiomatic module — typed coerced values, a loader that parses the injected env, and a SENSITIVE_KEYS constant — so it's usable out of the box. The TypeScript generator moves to @generateTsTypes and gains options to control process.env/import.meta.env augmentation and a monorepo-friendly exposeEnv=local mode. @generateTypes(lang=ts) still works as a deprecated alias. The varlock typegen command is renamed to varlock codegen (with typegen kept as a deprecated alias). Note: @disableProcessEnvInjection now requires a static true/false value — env-dependent values like forEnv(prod) are a schema error, since generated code must not differ per environment. (bump file)
  • icon fetching during type generation now ignores failed responses, times out after 2s, and doesn't retry failed icons within a run (bump file)
  • plugin-registered data types can now declare coercedType so generated env modules type their fields correctly (previously they always emitted as strings) (bump file)

patch Patch releases

@varlock/astro-integration 1.1.0 → 1.1.1 (cascade) CHANGELOG.md

  • Version bump via cascade rule

@varlock/cloudflare-integration 1.2.0 → 1.2.1 (cascade) CHANGELOG.md

  • Version bump via cascade rule

@varlock/nextjs-integration 1.1.3 → 1.1.4 CHANGELOG.md

  • Fix dev-server env file reloading on turbopack and Next 16. Two issues: (1) on Next 16 only the render worker calls loadEnvConfig, so the extra env-file watchers were never installed — watcher ownership is now claimed by whichever process loads env first; (2) on turbopack, non-sensitive ENV.x values were statically inlined into server files at compile time, so reloaded values were never served — in dev, server-side (node runtime) files now read env through the runtime proxy, which stays fresh across reloads. Client components and edge files still inline values (required), so those keep needing a page refresh after a full recompile. (bump file)
  • fix turbopack static ENV replacement corrupting ENV.x references inside string literals and comments — replacement is now AST-based, matching the vite integration (bump file)
  • Fix pages router and middleware support: webpack builds no longer fail on pages-router files, pages-router SSR picks up reloaded env values in turbopack dev, middleware no longer crashes the dev server or gets rejected by Vercel's edge bundle analyzer, works with turbopack dev on Next 15.5+, and encrypted deployments now work in middleware and edge routes (bump file)

@varlock/vite-integration 1.2.0 → 1.2.1 CHANGELOG.md

  • internal refactor: static ENV.x replacement code moved to a shared internal package (no behavior change) (bump file)

env-spec-language 0.2.4 → 0.2.5 CHANGELOG.md

  • Generate code for Python, Rust, Go, and PHP with new per-language decorators (@generatePythonEnv, @generateRustEnv, @generateGoEnv, @generatePhpEnv). Each emits a self-contained, idiomatic module — typed coerced values, a loader that parses the injected env, and a SENSITIVE_KEYS constant — so it's usable out of the box. The TypeScript generator moves to @generateTsTypes and gains options to control process.env/import.meta.env augmentation and a monorepo-friendly exposeEnv=local mode. @generateTypes(lang=ts) still works as a deprecated alias. The varlock typegen command is renamed to varlock codegen (with typegen kept as a deprecated alias). Note: @disableProcessEnvInjection now requires a static true/false value — env-dependent values like forEnv(prod) are a schema error, since generated code must not differ per environment. (bump file)

@github-actions github-actions Bot added release releases - managed by changesets core:varlock labels Jul 3, 2026
@bumpy-bot bumpy-bot force-pushed the bumpy/version-packages branch 2 times, most recently from ae88950 to 3c7a37c Compare July 4, 2026 04:02
@bumpy-bot bumpy-bot force-pushed the bumpy/version-packages branch 2 times, most recently from 5bab5ca to b15967d Compare July 4, 2026 06:20
@bumpy-bot bumpy-bot force-pushed the bumpy/version-packages branch 6 times, most recently from 8b1f510 to 0759f4b Compare July 6, 2026 23:16
@bumpy-bot bumpy-bot force-pushed the bumpy/version-packages branch from 0759f4b to 3bfa214 Compare July 6, 2026 23:23
@varlock/astro-integration@1.1.1
@varlock/cloudflare-integration@1.2.1
@varlock/nextjs-integration@1.1.4
@varlock/vite-integration@1.2.1
env-spec-language@0.2.5
varlock@1.10.0
@bumpy-bot bumpy-bot force-pushed the bumpy/version-packages branch from 3bfa214 to 5db438d Compare July 6, 2026 23:35
@theoephraim theoephraim merged commit dd7863b into main Jul 6, 2026
34 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants